[PATCH master 29/39] efi: loader: fix memory leak in efi_var_collect on buffer overflow

Ahmad Fatoum a.fatoum at pengutronix.de
Mon Feb 16 00:44:29 PST 2026


When the variable buffer is too small, efi_var_collect() returns
EFI_BUFFER_TOO_SMALL directly without freeing the buf allocated by
calloc() at the top of the function.

Free buf before returning.

Co-Authored-By: Claude Opus 4.6 <noreply at anthropic.com>
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
 efi/loader/efi_var_common.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/efi/loader/efi_var_common.c b/efi/loader/efi_var_common.c
index bd5af007ed9c..4c6cb77e7c2c 100644
--- a/efi/loader/efi_var_common.c
+++ b/efi/loader/efi_var_common.c
@@ -430,8 +430,10 @@ efi_status_t __maybe_unused efi_var_collect(struct efi_var_file **bufp, loff_t *
 		efi_status_t ret;
 
 		if ((uintptr_t)buf + len <=
-		    (uintptr_t)var->name + old_var_name_length)
+		    (uintptr_t)var->name + old_var_name_length) {
+			free(buf);
 			return EFI_BUFFER_TOO_SMALL;
+		}
 
 		var_name_length = (uintptr_t)buf + len - (uintptr_t)var->name;
 		memcpy(var->name, old_var->name, old_var_name_length);
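Review bot: the added free(buf) in the EFI_BUFFER_TOO_SMALL branch covers only this one exit. `efi_status_t ret;` is declared in the same loop body, so if code further down returns on a failing `ret`, it would leak buf in the same way and should be checked as part of this fix. A single cleanup label at the end of the function (for example `goto err;` leading to `free(buf); return ret;`) would cover every exit without repeating the free. Please also confirm that `*bufp` has not already been assigned buf when this branch is taken, since the caller would otherwise be left holding a freed pointer. Minor: the subject says "on buffer overflow", but this branch handles a buffer that is too small rather than an overflow, so wording such as "when the buffer is too small" would match the code.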
-- 
2.47.3



